Disable all file systems not actively used
Closed · 1 comment
Scripts currently disable known file systems such as https://github.com/ovh/debian-cis/blob/master/bin/hardening/1.1.1.3_disable_hfs.sh
However, a new file system can be introduced which can perform malicious actions.
So, for "Zero Trust" / Least Privilege principles, I propose that our script disable all file systems found and enable only those in an allowlist.
Hello,
Your logic is reasonable; however, it diverges from the CIS documentation, which uses a fixed list of common useless/dangerous FS to disable in the kernel.
Disabling all filesystems on the fly with CIS hardening would require running a modular kernel, which would de facto exclude monolithic ones.
I prefer to follow the official CIS recommendations regarding this type of hardening.
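The exchange above describes two things: the allowlist approach the issue proposes (block every filesystem module present, keep only a named few) and the maintainer's caveat that this only reaches modules, not filesystems compiled into a monolithic kernel. The script below is an added example written for this page, not debian-cis code and not the project's implementation. It enumerates filesystem modules from a modules tree, emits a modprobe.d fragment in the `install <module> /bin/true` idiom the CIS 1.1.1.x checks look for (plus a `blacklist` line), and reports names in a `/proc/filesystems`-style listing that have no module at all, i.e. the built-in ones a modprobe rule cannot disable. The allowlist, the fixture paths and the choice of `/bin/true` are assumptions; on a real host you would point it at `/lib/modules/$(uname -r)` and `/proc/filesystems` and write the output to a file under `/etc/modprobe.d/`.

```shell
#!/bin/sh
# Added example, not debian-cis code. Allowlist-style filesystem module
# blocking plus a report of built-in filesystems that modprobe rules cannot
# reach. Allowlist, fixture paths and the /bin/true idiom are assumptions.

FS_ALLOWLIST="ext4 xfs vfat overlay"   # assumption: what this host needs

# Print the module name of every filesystem module under a modules tree.
# On a real host: list_fs_modules "/lib/modules/$(uname -r)"
list_fs_modules() {
    find "$1/kernel/fs" -type f -name '*.ko*' 2>/dev/null \
        | sed -e 's#.*/##' -e 's/\.ko.*$//' | sort -u
}

# Succeed if the module named in $1 is on the allowlist.
is_allowed() {
    for fs in $FS_ALLOWLIST; do
        [ "$fs" = "$1" ] && return 0
    done
    return 1
}

# Read module names on stdin; print a modprobe.d fragment that blocks each
# one not on the allowlist. "install <mod> /bin/true" makes modprobe run
# /bin/true instead of loading the module; "blacklist" also stops alias
# based autoloading. Neither unloads a module that is already loaded.
generate_blocklist() {
    while read -r mod; do
        [ -z "$mod" ] && continue
        is_allowed "$mod" && continue
        printf 'install %s /bin/true\nblacklist %s\n' "$mod" "$mod"
    done
}

# Print filesystems the kernel already registers (a /proc/filesystems-style
# file in $1) that have no module in the tree ($2). These are compiled in,
# which is the maintainer's point: no modprobe.d rule can remove them.
# Heuristic only: a few registered names differ from their module name.
builtin_filesystems() {
    procfs="$1"; moddir="$2"
    mods=$(list_fs_modules "$moddir")
    awk '{print $NF}' "$procfs" | while read -r name; do   # last column is the name
        case " $(printf '%s' "$mods" | tr '\n' ' ') " in
            *" $name "*) ;;                 # loadable module: the blocklist handles it
            *) printf '%s\n' "$name" ;;
        esac
    done
}

# Constructed fixture so the example runs offline: a fake modules tree with
# four filesystem modules and a fake /proc/filesystems with two extra
# built-in names (proc, sysfs, squashfs). Not taken from any real host.
make_fixture() {
    dir=$(mktemp -d)
    for m in hfs ext4 cramfs xfs; do mkdir -p "$dir/mods/kernel/fs/$m"; done
    : > "$dir/mods/kernel/fs/hfs/hfs.ko"
    : > "$dir/mods/kernel/fs/ext4/ext4.ko.xz"
    : > "$dir/mods/kernel/fs/cramfs/cramfs.ko"
    : > "$dir/mods/kernel/fs/xfs/xfs.ko.zst"
    printf 'nodev\tsysfs\nnodev\tproc\n\text4\n\tsquashfs\n' > "$dir/filesystems"
    printf '%s\n' "$dir"
}

# Run with --demo to see the generated fragment and the built-in report.
if [ "${1:-}" = "--demo" ]; then
    fx=$(make_fixture)
    list_fs_modules "$fx/mods" | generate_blocklist
    echo "# built in, not blockable via modprobe.d:"
    builtin_filesystems "$fx/filesystems" "$fx/mods"
    rm -rf "$fx"
fi
```

On the fixture, only hfs and cramfs are blocked (ext4 and xfs are allowlisted) and sysfs, proc and squashfs are reported as built in. The second function is what makes the maintainer's objection concrete: on a kernel with the relevant filesystems compiled in, the generated fragment is simply a no-op for them, and the only remedy is a kernel rebuild or a boot-time restriction, not modprobe configuration.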